Linux Updates

Rollback a package version (APT)

Practical Linux guide: rollback a package version (APT) without the usual guesswork.

10 min read Beginner Updated 9 Jun 2026
Linux library Start the guide

Step-by-step guide

Work through each section in order. Stop when your issue is resolved — you do not need every step for every situation.

Warning

Package downgrades and holds can leave dependencies inconsistent. Document what you change and test services after any rollback.

What you will achieve

Downgrade a single package on Debian/Ubuntu when a bad update breaks a service — without reinstalling the whole system.

1) Find available versions

apt-cache policy nginx
apt list -a nginx

2) Install a specific version

sudo apt install nginx=1.24.0-2ubuntu7.1
sudo apt-mark hold nginx

Pin exact version syntax: package=version. Hold immediately so the next upgrade does not bump it back.

3) If old versions are gone from mirrors

grep -r nginx /var/log/apt/history.log
# download .deb from snapshots.debian.org or old-releases.ubuntu.com
sudo dpkg -i nginx_1.24.0-2ubuntu7.1_amd64.deb
sudo apt --fix-broken install

4) Fedora note

RPM downgrades need dnf downgrade package if the older build remains in repos; otherwise use dnf install package-version from Koji.

Verify

dpkg -l nginx
nginx -v
sudo systemctl status nginx

5) Snapshot before downgrade

sudo apt install apt-utils
# Timeshift or btrfs snapshot recommended

6) Cascading dependency issues

Downgrading libc or openssl breaks everything. Restrict rollbacks to application packages (nginx, php, postgres client), not core libraries unless you enjoy rescue mode.

7) apt pinning for permanent downgrade

Package: nginx
Pin: version 1.24.0-2ubuntu7.1
Pin-Priority: 1001

Save in /etc/apt/preferences.d/nginx. Priority above 1000 forces downgrade even when newer exists.

Verify service health post-rollback

sudo nginx -t
curl -I http://localhost
journalctl -u nginx -b --no-pager | tail -20

8) CI/CD pin alignment

Application deploy pipelines pinning Node 20 must match system packages if they interact — document OS package versions in deployment manifests.

9) Document incident timeline

When rolling back after outage, note previous version, new broken version, and CVE implications of staying pinned — security team needs the trade-off in writing.

Prerequisites

Exact broken and target versions from apt-cache policy. Service downtime window. Snapshot recommended. Old deb packages may need fetching from snapshot.debian.org if removed from mirrors.

Notify dependents

If nginx rollback affects customer sites, update status page before systemctl restart — rollback fixes binary but active connections still drop on restart.

Post-downgrade conffiles

Older package may ship different /etc defaults — dpkg --force-confold keeps your config; compare .dpkg-dist files after rollback.

Library dependency chains

Rolling back php8.3-fpm may require matching php8.3-common and php8.3-cli at same version — apt install php8.3-fpm=8.3.x php8.3-common=8.3.x in one transaction. Mixed minor versions leave Apache with module load failures. After rollback run php-fpm8.3 -t and hit a phpinfo endpoint before declaring victory.

Related guides

apt linux package rollback version

Related guides

Continue with these next if you are building a fuller setup or troubleshooting path.

Updates
dist-upgrade vs release upgrade
Practical Linux guide: dist-upgrade vs release upgrade without the usual guesswork.
Read guide
Updates
Hold packages on APT systems
Practical Linux guide: hold packages on APT systems without the usual guesswork.
Read guide